New Report Says Most Car Companies Couldn't Counter a Cyber Attack

Automakers are ill-equipped to handle the growing scope of cyber threats faced by cars on American roads, a critical new report charges.

Although almost all new cars include wireless technologies that provide hackers with entry points into vehicles, car companies lack fundamental understanding of how these systems work and have little clue how to defend them, according to the report, which was released Monday by U.S. Senator Ed Markey (D-Mass).

Only two automobile manufacturers of the 16 surveyed could describe how they would respond to a real-time infiltration of a vehicle, the report said. Six manufacturers avoided answering the question on their response time entirely, and six more answered with "vague mentions" of "appropriate actions."

"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber-attacks or privacy invasions," Markey said in a written statement.

It's no secret that infotainment features like smartphone integration, turn-by-turn navigation and vehicle performance monitors have rendered cars vulnerable to hackers. A growing number of researchers have exploited cyber weaknesses and demonstrated the ability to control a car's critical functions. Just last week, German researchers announced they hacked BMW's Connected Drive system and remotely locked and unlocked car doors.

Cyber-security experts have been warning automakers their efforts to thwart hackers have been insufficient, but Markey's harsh report marks the first time that criticism has come from an elected official. Among his findings:

Nearly 100 percent of new cars sold in the U.S. contain technologies that expose them to hacking or privacy intrusions.

Only two manufacturers could describe their capability to diagnose or meaningfully respond to a real-time infiltration, and "most say they rely on technologies that cannot be used for this purpose at all."

Measures to prevent hacks are "inconsistent and haphazard" across the industry, and many manufacturers didn't seem to even understand the questions posed by Markey and his staff.

Of the 12 companies that responded to a question on how they secured new software deliveries, all began with a presumption that a hacker couldn't access the same technologies that ordinary mechanics possess.

Cyber-security experts have warned that automakers' efforts at thwarting hacks have been insufficient in recent years, but car companies have countered by assuring motorists that appropriate security was in place, even if they divulged scant details. But that response has crumbled in the face of almost-weekly reports of researchers finding new ways to breach the security in vehicles. Last week, it was BMW. This week, there's an upcoming 60 Minutes report of white-hat researchers remotely controlling a Chevy Impala via an infiltration of its OnStar telematics unit.

From automakers, "there's some pushback on 'why create technology for a threat that's not imminent,'" said Chris Valasek, director of vehicle security research at IOActive. "It is costly, but at the same time, no one wants to be the first one hit by this kind of attack. I'd rather work on it now, rather than panic when it happens ... it's up to everyone involved in the landscape to be vigilant on their security."

Privacy Breaches Are of Equal Concern

The same technologies that leave cars ripe for hacking are also exposing motorists to overruns of their privacy. Markey's report found automobile manufacturers are collecting large amounts of data on driving history and vehicle performance from unsuspecting motorists.

That data is often wirelessly transmitted to data centers run by both car companies and third-party vendors. Manufacturers use this data, "often vaguely, to 'improve the customer driving experience,'" the report noted.

Last month at CES, one automaker touted its ability to gather such specific data that it can analyze what radio stations drivers are listening to at given speeds. "OEM's are doing crazy, crazy analytics," Kelley Blue Book analyst Akshay Anand previously told Autoblog. "They will start to use that in a much smarter way. ... Most of it will be internal."

The Government Accountability Office issued a report last year that called on automakers to be more transparent in how they handle that customer data, and manufacturers agreed to a set of principles that strengthened those protections. But Markey's report said those principles don't go far enough in safeguarding motorists.